Disable USB mounting and the email port (or remove the client entirely). People could still remember what they have seen and copy some information in that way. You would probably be better off including confidentiality clauses in contracts and highlighting Data Protection Act rules.
– James Jan 26 '11 at 13:58

If the government cannot keep classified information from being released, I don't think a company can do any better. No matter what technical measures are in place, the weak spot is always the people.
– KeithB Jan 26 '11 at 16:34

Pretty much this. Trust is almost all you can have. You can limit using USB sticks with Lumension (as I mentioned in my post in the comments). But for e-mails you can pretty much do nothing.
– sinni800 Jan 26 '11 at 14:20

Don't forget they can also take a photo of the screen or print a screen capture as well. @sinni800: Emails you can do a lot: don't give them access to an email client, block the port at the firewall, or don't give them access to the internet at all from their desk, for instance. But @akira is right; there are ways around almost everything except happy employees.
– Ken White Jan 26 '11 at 14:24

+1 from me: It's as simple as "you can't get there from here." There's also the "security is a process" epithet.
– afrazier Jan 26 '11 at 14:25

@KenWhite: Sure, but very often, company employees NEED email access. Also I know that you could also easily embed text into a picture. You can also not allow USB Sticks at all and control printing. Though it all comes down to that you need trust.
– sinni800 Jan 26 '11 at 14:34

You left out educated. Most hacks come from social engineering.
– Keltari Apr 29 '13 at 5:52

The problem of data loss prevention (DLP) is one of the most difficult to solve in information security. As we saw with the Wikileaks After-Action Report disclosure, even organizations with a strong will for security, non-disclosure agreements, a non-Internet-connected network, and employees with security clearances have unauthorized disclosures.

I mention that to make the point that this is a battle, one you're not likely to win 100%. That being said, here are some steps you can take.

First and foremost, follow the principle of least privilege. If HR doesn't need access to your manufacturing data, don't give it to them. Only allow as much access as is necessary for that person/group to get their job done. There is expensive software that can scan all outgoing Internet traffic at a company, including SSL. You can disable USB disk drives by disabling the USB Mass Storage Class driver in your operating systems (there is a free way to do this using Windows Active Directory). You can install outgoing email quarantine software. You can disable CD writers.

You mention encryption. That is a good idea for general DLP, but not for the specific threat you present. Encryption does not prevent copying by people authorized to view the information. Even if you did encrypt the data in your important files, which you classify as .doc or .xls, nothing stops them from exporting the data in another format like .odt. Plus, if someone can view the file, nothing stops them from taking a screenshot or using their cameraphone to take a picture of the data.

The best bet in a small company is to follow the principle of least privilege, take inexpensive steps to prevent USB leakage, create loyalty in your employees, maintain good morale, and have a strong non-disclosure agreement signed by everyone in the company.

Etam: This problem has existed for ages -- ever since guilds were invented in Europe. The modern solution is to write an Employee Handbook, know it well, and ask the employees to sign off that they have read it. Intellectual property and security should just be one chapter in the handbook.

You will find that a) the Handbook limits bad behavior in a plethora of areas; and b) the handbook can be a useful tool to measure the overall quality/compliance of an employee's work.

As one of the commentators mentioned, building trust is also essential. Trust comes from 1) knowing the kind of people you hire; 2) fully explaining to them the expectations of the job (and not just entirely making it up as you go). Think of the Employee Handbook as the list of 12-20 rules that appear at most public pools (at least here in the U.S.). It will contribute greatly to the order of your office, without resorting to a bunch of yelling and tears.

Oh, and if it comes down to one bad apple, I recommend you secure competent legal advice and sue anyone who breaches your security under contract law and applicable intellectual property statutes. Speak softly and carry a big stick.

I need a solution that employees can read/write documents but can not copy to USB drive or e-mail them.
– Etam Jan 26 '11 at 13:36

Take the mouse, mark the text... open Outlook, right-click and press "insert"... there goes your encryption.
– akira Jan 26 '11 at 14:04

@Etam Oh sorry, I didn't realize you meant to block users from sending or putting stuff on USB sticks. But try "Lumension Endpoint Security" for the USB stick thing. It allows you to prevent files other than specified file formats from being put on a USB stick. For the e-mail thing... You can't do anything pretty much, except for going all out and indexing every document, reading every email programmatically :)... But that would be bogus, I think.
– sinni800 Jan 26 '11 at 14:18

There is a GPO for Windows Server that disables USB storage devices on client machines. Along with allowing outgoing email to only specified contacts, you can make things at least a lot more difficult.
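
The USB Mass Storage driver setting and the removable-storage GPO mentioned in the answers above can be checked on a client with a short audit. This is an added example, not code from any of the posters; it assumes the standard Windows registry locations for the `USBSTOR` service and the "Removable Storage Access" policy, and the function and finding names are made up for illustration.

```powershell
# Added example: report whether removable-storage restrictions are in effect locally.
# Function names and finding names are hypothetical; registry paths are the
# standard Windows locations for the USBSTOR service and the GPO values.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-RemovableStoragePolicy {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Device setup class GUIDs used by the Removable Storage Access policy.
    $classes = @{
        'RemovableDisks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
        'CDandDVD'       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    }

    # USBSTOR service start type: 3 = load on demand (default), 4 = disabled.
    $usbStorStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    # "All Removable Storage classes: Deny all access" Group Policy setting.
    $denyAll = Get-RegValue $policyRoot 'Deny_All'

    $findings = [ordered]@{
        UsbStorDriverDisabled = ($usbStorStart -eq 4)
        DenyAllRemovable      = ($denyAll -eq 1)
    }
    foreach ($c in $classes.GetEnumerator()) {
        # Per-class "Deny write access" policy value.
        $denyWrite = Get-RegValue (Join-Path $policyRoot $c.Value) 'Deny_Write'
        $findings["$($c.Key)WriteDenied"] = ($denyWrite -eq 1)
    }

    # Copying to a USB disk is blocked if any one of the three controls covers it.
    $findings['UsbWriteBlocked'] = $findings.UsbStorDriverDisabled -or
                                   $findings.DenyAllRemovable -or
                                   $findings.RemovableDisksWriteDenied
    [pscustomobject]$findings
}

Test-RemovableStoragePolicy | Format-List
```

A result of `UsbWriteBlocked : False` on a machine that should be covered usually means the GPO is not linked to that computer's OU or has not been refreshed. Phones that connect as portable media devices use a different device class, so neither the `USBSTOR` setting nor the removable-disk class covers them.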